- Check the secure boot settings in Windows
- View the enrolled secure boot keys
- View the key signatures in boot files
- View the TPM info
2. Enter:
powershell
3. Enter:
Confirm-SecureBootUEFI
This verifies that UEFI Secure Boot is enabled (the cmdlet returns True when it is).
4. Enter:
md UEFI_Certs
5. Enter:
Get-SecureBootUEFI -Name PK -OutputFilePath .\UEFI_Certs\PK.esl
6. Enter:
Get-SecureBootUEFI -Name KEK -OutputFilePath .\UEFI_Certs\KEK.esl
7. Enter:
Get-SecureBootUEFI -Name db -OutputFilePath .\UEFI_Certs\db.esl
8. Enter:
Get-SecureBootUEFI -Name dbx -OutputFilePath .\UEFI_Certs\dbx.esl
Now that we have the Secure Boot variables saved from NVRAM, we need to extract the certificates and signature hashes from the EFI Signature List (ESL) files. While Linux has the efitools package to perform this extraction, Windows does not have an equivalent program. (If you want to port sig-list-to-certs to Windows, the source is available here.)
We can still manually extract the certificates in Windows, but we will need some additional tools. First we will install the winget package manager.
9. Enter:
Add-AppxPackage -Path https://github.com/microsoft/winget-cli/releases/download/v1.2.10271/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
10. Enter:
winget install --id Git.Git -e --source winget
This will install the Microsoft Git package, which includes a number of tools, among them openssl, xxd and the vim editor. Now we update the PATH variable to include the directory that holds vim.exe and openssl.exe.
11. Enter:
$Env:PATH += ";C:\Program Files\Git\usr\bin"
12. Enter:
cd UEFI_Certs
We will now extract the PK certificate from the PK.esl file. First we need to dump the binary file to a hex format with xxd.
13. Enter:
xxd PK.esl PK.hex
Now we can edit the hex dump with vim.
14. Enter:
vim PK.hex
According to page 1717 of the UEFI specification, the GUID identifier for an x509 certificate list is:
#define EFI_CERT_X509_GUID { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };
However, the UEFI documentation writes the GUID in big endian form while the firmware actually stores the data in little endian form. A byte-order calculator can be helpful to convert the values. To read a little endian hex value, read the bytes from right to left, but read each individual byte from left to right. Only the first three GUID fields (one 32-bit and two 16-bit values) are byte-swapped this way; the trailing eight bytes are stored exactly as written. In little endian form the x509 GUID value is:
a159c0a5 e494 a74a 87 b5 ab 15 5c 2b f0 72
which we see on the first line of the file:
The next value after the x509 GUID is the UINT32 SignatureListSize value, which defines the length of the signature list including headers. We know this value is 4 bytes long because a 32-bit Unsigned Integer (UINT32) is 32 bits, and 32 bits is 4 bytes. The next 4 bytes after the GUID are:
However this is little endian, so the big endian value is 0000 03cd. In decimal, this is 973 bytes. Conveniently our hex dump has byte numbers listed in hexadecimal on the side, so we just need to find byte 03cd to find the end of the PK certificate. Scrolling down we see:
Byte 0000 03c0 is the first byte on the last line of the file. We can count from that byte to find byte 03cd; remember that every 2 hexadecimal digits are 1 byte, and 0xd in hex is decimal 13. We need to count 13 bytes, or 26 hex digits, from the start of the line. 0xfc is 13 bytes from the start of the line, so it is the last byte in the certificate. It is also the last byte in the file. This makes sense, because there can only be one PK certificate.
To extract the certificate from the file, we just need to remove the ESL header information from the beginning of the file. According to the specification, the next value in the header after UINT32 SignatureListSize is UINT32 SignatureHeaderSize. Scrolling back to the top of the file we see:
The next 4 bytes after cd03 0000 are 0000 0000, so the signature has no header. (Note that this is the SignatureHeader, not the ESL header.) After UINT32 SignatureHeaderSize comes UINT32 SignatureSize:
This is b103 0000 which is 0000 03b1 in big endian, so there are 03b1 bytes in the signature. The specification states that SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) + the size of the certificate itself. This means that the next 16 bytes are the SignatureOwner which should not be included in the certificate:
The next 16 bytes are ce4d 5670 fc9a e34e 85fc 9496 49d7 e45c. This means our certificate should start with 3082 039d. We need to delete all bytes before 3082 to extract the x509 certificate for the PK. Unfortunately, we can't delete bytes from a hex dump in this format in vim (with offsets and an ASCII column), so we need to reformat the output.
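The manual walk above (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize, then SignatureOwner before each certificate) is exactly what the missing Windows equivalent of sig-list-to-certs would automate. The following is an added example, not code from the lab or from efitools: a small Python ESL parser that applies those same header fields, handles files that hold several lists back to back (db and dbx usually do), and checks each size against the file length so a truncated or malformed dump raises an error instead of yielding garbage. The two signature-type GUIDs are the ones defined in the UEFI specification; the sample input is constructed here to have the same sizes (0x3cd, 0x3b1) and the same SignatureOwner bytes as the PK.esl in the lab, but its "certificate" is a dummy DER header over zero bytes, not a real key.

```python
"""Minimal EFI Signature List (ESL) parser: a Windows-side stand-in for
efitools' sig-list-to-certs. Added example, not part of the original lab.

Layout per the UEFI specification (all integers little-endian):
  EFI_SIGNATURE_LIST = SignatureType GUID (16) | SignatureListSize UINT32
                       | SignatureHeaderSize UINT32 | SignatureSize UINT32
                       | SignatureHeader[SignatureHeaderSize]
                       | EFI_SIGNATURE_DATA * N
  EFI_SIGNATURE_DATA = SignatureOwner GUID (16) | SignatureData[SignatureSize - 16]
A .esl file (db.esl, dbx.esl) may contain several lists back to back.
"""
import base64
import hashlib
import struct
import sys
import uuid
from collections import namedtuple

LIST_HDR = 28   # SignatureType GUID (16) + three UINT32 fields (12)
OWNER_LEN = 16  # SignatureOwner GUID at the front of every EFI_SIGNATURE_DATA

# Signature-type GUIDs as printed in the UEFI specification. uuid.UUID(bytes_le=...)
# performs the byte swap of the first three fields that the lab works out by hand.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

SigList = namedtuple("SigList", "offset type_guid list_size header_size sig_size entries")
SigData = namedtuple("SigData", "owner data")


def parse_esl(blob):
    """Walk every EFI_SIGNATURE_LIST in blob, validating sizes against the file length."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR:
            raise ValueError(f"truncated list header at offset {off:#x}")
        type_guid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < LIST_HDR or end > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size:#x} at offset {off:#x}")
        body = off + LIST_HDR + hdr_size
        # Each entry is SignatureOwner + data, so the data area must hold whole entries.
        if sig_size <= OWNER_LEN or body > end or (end - body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size:#x} at offset {off:#x}")
        entries = []
        while body < end:
            owner = uuid.UUID(bytes_le=bytes(blob[body:body + OWNER_LEN]))
            entries.append(SigData(owner, bytes(blob[body + OWNER_LEN:body + sig_size])))
            body += sig_size
        lists.append(SigList(off, type_guid, list_size, hdr_size, sig_size, entries))
        off = end
    return lists


def x509_certs(lists):
    """Raw DER certificates from every X509 list, in file order (PK has exactly one)."""
    return [e.data for sl in lists if sl.type_guid == EFI_CERT_X509_GUID for e in sl.entries]


def sha256_hashes(lists):
    """Hex SHA-256 entries, the usual content of dbx."""
    return [e.data.hex() for sl in lists if sl.type_guid == EFI_CERT_SHA256_GUID for e in sl.entries]


def der_to_pem(der):
    """Wrap DER in PEM so 'openssl x509 -in X.pem -text -noout' can read it."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


def build_list(type_guid, owner, items):
    """Encode one EFI_SIGNATURE_LIST with no SignatureHeader (used to construct the sample)."""
    body = b"".join(owner.bytes_le + item for item in items)
    sig_size = OWNER_LEN + len(items[0])
    return type_guid.bytes_le + struct.pack("<III", LIST_HDR + len(body), 0, sig_size) + body


def sample_esl():
    """Constructed sample: an X509 list sized like the lab's PK.esl (SignatureListSize 0x3cd,
    SignatureSize 0x3b1, owner stored as ce4d 5670 fc9a e34e ...) followed by a two-entry
    SHA256 list. The 'certificate' is only a DER SEQUENCE header over zero bytes."""
    owner = uuid.UUID("70564dce-9afc-4ee3-85fc-949649d7e45c")
    fake_cert = b"\x30\x82\x03\x9d" + b"\x00" * 0x39d  # 0x3a1 bytes, not a real certificate
    hashes = [hashlib.sha256(b"constructed-%d" % i).digest() for i in (1, 2)]
    return build_list(EFI_CERT_X509_GUID, owner, [fake_cert]) + build_list(EFI_CERT_SHA256_GUID, owner, hashes)


if __name__ == "__main__":
    # Usage: python esl_parse.py PK.esl  -> prints each list and writes PK.esl_0.pem, ...
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else sample_esl()
    lists = parse_esl(data)
    for sl in lists:
        print(f"offset {sl.offset:#06x} type {sl.type_guid} size {sl.list_size:#x} entries {len(sl.entries)}")
    for i, der in enumerate(x509_certs(lists)):
        if path:
            with open(f"{path}_{i}.pem", "w") as f:
                f.write(der_to_pem(der))
            print(f"wrote {path}_{i}.pem")
```

Run it against the PK.esl saved in step 5 and the resulting .pem can be inspected with the openssl.exe that the Git package put on the PATH; the printed offsets are the same hexadecimal byte positions you would otherwise locate by hand in the xxd dump.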